Discovery scanning

A discovery scan finds, identifies, and builds an inventory of all the connected devices and assets on your internal network. Running a discovery scan routinely will help you keep track of and know exactly what is on your network.

Discovery scans are configured by site, Explorer, and scope. In order to run a scan against a specific site, an Explorer must be activated and either assigned to that site or configured for all sites.

When creating a new scan, you have multiple parameters you can set, ranging from scheduling a date to more advanced options. To launch a discovery scan, browse to the Inventory page, click the Scan menu in the upper right, and select Standard Scan.

Site

runZero organizes information into organizations and sites. Organizations are distinct entities that are useful for keeping data separate and contain a collection of sites. Sites are used to model segmented networks, particularly independent networks which use the same private IP address ranges.

For example, you might have multiple physical locations with their own local networks, all using the 10.0.0.0/8 private IP range. By defining them as sites, you can set up an Explorer for each, and the networks and assets will be treated as completely independent even if similar systems are seen at the same IP addresses in each.

Since scan analysis occurs at the site level, the boundaries you define for a site set the default scope for scans for that site.

Explorer

Select the Explorer to run the scan from, chosen from the set of registered Explorers for the site. The Explorer you choose must be able to directly communicate with the networks and addresses you define for the discovery scope.

The chosen Explorer should ideally be able to reach all addresses in the scope directly, without a firewall in the way. Stateful firewalls and VPN gateways may interfere with the discovery process.

Hosted zone

Community Platform

runZero Platform users can perform scans of public IP space using runZero-hosted scanners. When creating a scan, set the Explorer to None and choose a hosted zone from which to scan. When using this option, the discovery scope must use public IP addresses or ranges, or resolve to public IP space.

Discovery scope

The discovery scope defines the IP addresses that will be scanned. The scope uses the site settings when specified as they keyword “defaults”, but may be changed on a per scan basis as well. The scope should include at least one IP address or hostname. IPv4 address ranges can be specified in most standard formats:

  • 10.0.0.1
  • 10.0.0.0/24
  • 10.0.0.0/255.255.255.0
  • 10.0.0.1-10.0.0.255

IPv6 addresses can be specified individually, but IPv6 ranges are not supported.

Hostnames specified in the scope will be resolved at runtime by the assigned Explorer. If the hostname returns multiple IP addresses, all addresses in the response will be scanned. Hostnames can also have masks applied, indicating that the mask should expand to each resolved address of the hostname. For example, if example.com resolves to both 1.2.3.4 and 5.6.7.8, the input of example.com/24 would become 1.2.3.0/24 and 5.6.7.0/24. IPv6 addresses returned from hostname resolution will be scanned if the Explorer has a valid IPv6 address and route to the target.

Note that the Explorer scans addresses in random order. Subnets are scanned in a random order, and within each subnet the IP addresses are also scanned in a random order. This is done to avoid concentrating traffic in particular parts of the network.

Discovery keywords

The following keywords are supported for both scan scopes and exclusions.

  • asn4: The asn4:<AS number> keyword can be used to specify IPv4 ranges associated with a given AS number.

  • country4: The country4:<ISO code> keyword can be used to specify IPv4 ranges associated with a given two-character country code.

  • public and private: The public:<mode> and private:<mode> keywords can be used to specify IPv4 and IPv6 addresses associated with assets in the current organization. The mode parameter can be set to all, primary, or secondary to indicate which IP addresses are used. The public keyword selects all non-reserved IP addresses associated with organization assets. The private keyword selects all RFC-1918 and private use IP addresses associated with organization assets.

  • domain: The domain:<domain> keyword is available to cloud-hosted users and uses the syntax domain:<domain name> to automatically select publicly-known hostnames for a given domain name.

Scan name

You can assign a name to your Scan task to make it easier to keep track of.

Scan speed

Specify the maximum packet rate for the overall discovery process, in network packets per second. 500 is conservative, 3000 works for most LANs including WiFi, 10000 or more may be helpful for large sites with fast connectivity.

The scan speed directly affects how long the scan will take to complete. An approximate formula is:

time in seconds = hosts Ă— ports Ă— attempts Ă· scan speed

The number of hosts scanned is primarily determined by the discovery scope. The number of ports is around 500 by default, and three attempts are made to connect.

The number of hosts and ports scanned can be affected by the advanced scan options, and speed can also be impacted by maximum host rate and group size; see the descriptions of the advanced scan options below.

Note also that this formula doesn’t take into account time taken to take screenshots, follow web server redirects, or process the scan data.

Schedule

You can set a date and frequency for your scan task. Dates and times take into account your browser’s advertised timezone.

Scans scheduled to start in the past will be launched immediately and then repeated at the specified time based at the frequency selected.

Scheduling grace period

Specify the number of hours to wait for an available Explorer before giving up on this scan. A zero or negative value will result in the scan retrying indefinitely until an Explorer becomes available.

Scan duration limit

You can specify a number of hours to limit scan duration to; if scanning is still in progress after this time has elapsed, the scan will be canceled. This does not limit processing time.

If you set this to 0, no limit is applied.

Advanced scan options

The Advanced tab can be used to display and modify additional scan settings, such as network exclusions, scan speed, the ports covered by the TCP scan, and which probes are enabled. The default settings should work for most organizations but may need to be tweaked for slow networks or unreliable links.

Maximum host rate

As well as setting an overall scan rate in packets per second, you can also control the maximum rate at which packets are sent to any single host IP address. This is useful when you have devices which are easily overloaded by network traffic. The default should be safe for most systems.

Max group size

When runZero scans your network, it spreads the scan load across many IP addresses at once. The max group size determines how many IP addresses can be actively scanned at once – allowing for the fact that hosts may take some time to respond to probes. The max group size needs to be at least as large as the overall scan speed, or else it would limit the speed of the scan to below the set value. If you provide a value that’s lower than the overall scan speed, it will be increased automatically at scan time.

The max group size is mostly useful when dealing with stateful network devices that can only track a limited number of connections at once, as a way to restrict how many active TCP sessions will result from a runZero scan.

Max TTL

The IP standards define a maximum hop count for packets. In IPv4, this is called the Time To Live or TTL, while on IPv6 this is called the Hop Limit. Every device processing a packet must decrease the TTL or Hop Limit one. If this value reaches zero, the route receiving the packet must discard the packet. This setting can be used to set the maximum hop limit for scan traffic.

ToS

The IP standards define a Type of Service or ToS for packets. In IPv4, this is called the Type of Service or ToS, while on IPv6 this is called the Traffic Class or TC. The ToS or Traffic Class is used by switches and routers to prioritize network traffic. The lower bits of the IPv4 ToS are also used for congestion controller. This setting can be used to set the ToS or Traffic Class for scan traffic. Please note that the ToS/Traffic Class settings do not apply to all traffic sent by runZero, but instead are limited to the basic discovery probes. Some protocols, such as SNMP, and integrations, such as VMware, do not set the ToS/Traffic Class fields on their corresponding packets. If all scan traffic must be consistently tagged with the correct ToS or Traffic Class, this can be accomplished through settings on the managed switch port instead.

TCP ports

The Included TCP ports and Excluded TCP ports fields can be used to override the default scan ports. The string “defaults” will lookup the current default port list at scan time. The current port list is:

1 7 9 13 17 19 21 22 23 25 37 42 43 49 53 69 70 79 80 81 82 83 84 85 88 102 105 109 110 111 113 119 123 135 137 139 143 161 179 222 264 280 384 389 402 407 442 443 444 445 465 500 502 512 513 515 523 524 540 541 548 554 587 617 623 631 636 664 689 705 717 743 771 783 830 873 888 902 903 910 912 921 990 993 995 998 1000 1024 1030 1035 1080 1083 1089 1090 1091 1098 1099 1100 1101 1102 1103 1128 1129 1158 1199 1211 1220 1234 1241 1260 1270 1300 1311 1352 1433 1434 1440 1443 1468 1494 1514 1521 1530 1533 1581 1582 1583 1604 1610 1611 1723 1755 1801 1811 1830 1883 1900 2000 2002 2021 2023 2049 2068 2074 2082 2083 2100 2103 2105 2121 2181 2199 2207 2222 2224 2323 2362 2375 2376 2379 2380 2381 2443 2525 2533 2598 2601 2604 2638 2809 2947 2967 3000 3001 3003 3033 3037 3050 3057 3071 3083 3128 3200 3217 3220 3260 3268 3269 3273 3299 3300 3306 3311 3312 3351 3389 3460 3500 3502 3628 3632 3690 3780 3790 3817 3871 3872 3900 4000 4092 4322 4343 4353 4365 4366 4368 4369 4406 4433 4443 4444 4445 4567 4659 4679 4730 4786 4840 4848 4949 4950 4987 5000 5001 5007 5022 5037 5038 5040 5051 5060 5061 5093 5168 5222 5247 5250 5275 5347 5351 5353 5355 5392 5400 5405 5432 5433 5498 5520 5521 5554 5555 5560 5580 5601 5631 5632 5666 5671 5672 5683 5800 5814 5900 5901 5902 5903 5904 5905 5906 5907 5908 5909 5910 5911 5920 5938 5984 5985 5986 5988 5989 6000 6001 6002 6050 6060 6070 6080 6082 6101 6106 6112 6161 6262 6379 6405 6443 6481 6502 6503 6504 6514 6542 6556 6660 6661 6667 6905 6988 7000 7001 7002 7021 7070 7071 7077 7080 7100 7144 7181 7210 7373 7443 7474 7510 7547 7579 7580 7676 7700 7770 7777 7778 7787 7800 7801 7879 7902 8000 8001 8003 8006 8008 8009 8010 8012 8014 8020 8023 8028 8030 8080 8081 8082 8083 8086 8087 8088 8089 8090 8095 8098 8099 8100 8123 8127 8161 8172 8180 8181 8182 8205 8222 8300 8303 8333 8400 8443 8444 8445 8471 8488 8500 8503 8530 8531 8545 8649 8686 8787 8800 8812 8834 8850 8871 8880 8883 8888 8889 8890 8899 8901 8902 8903 8983 9000 9001 9002 9042 9060 9080 9081 9084 9090 9091 9092 9099 9100 9111 9152 9160 9200 9300 9380 9390 9391 9401 9418 9440 9443 9471 9495 9524 9527 9530 9593 9594 9595 9600 9809 9855 9999 10000 10001 10008 10050 10051 10080 10098 10162 10202 10203 10250 10255 10257 10259 10443 10616 10628 11000 11099 11211 11234 11333 12174 12203 12221 12345 12379 12397 12401 13364 13500 13778 13838 14330 15200 15671 15672 16102 16443 16992 16993 17185 17200 17472 17775 17776 17777 17778 17781 17782 17783 17784 17790 17791 17798 18264 18881 19300 19810 19888 20000 20010 20031 20034 20101 20111 20171 20222 20293 22222 23472 23791 23943 25000 25025 25565 25672 26000 26122 27000 27017 27018 27019 27080 27888 28017 28222 28784 30000 31001 31099 32764 32844 32913 33060 34205 34443 34962 34963 34964 37718 37777 37890 37891 37892 38008 38010 38080 38102 38292 40007 40317 41025 41080 41523 41524 44334 44343 44818 45230 46823 46824 47001 47002 47290 48899 49152 50000 50013 50021 50051 50070 50090 50121 51443 52302 52311 54321 54921 54922 54923 55553 55580 57772 61614 61616 62078 62514 65002 65535

Prescan modes for large IP spaces

Sometimes, the scope of your IP space is unknown, subnet usage is unknown, and the total number of assets is unknown. These unknowns can make it challenging to optimize your discovery scans for efficiency and speed. And when your IP space is large, like a /16 space with a few thousand IPs in use, a full discovery scan can take more time to complete, since it looks at more than 500 TCP ports and 15 UDP ports on every address. In these types of cases, you may want to tune your scan settings to prefilter ranges and IP addresses before a full scan.

runZero has two prescan modes that you can use to run a faster scan: subnet sampling and host ping.

Subnet sampling

Community Platform

To speed up scans of large subnets you can use the “Only scan subnets with active hosts” advanced scan option. If this option is on, a prescan runs against the target space to identify the subnets with an active host. This mode leverages heuristics runZero has collected to identify addresses that are more likely to be responsive across subnets. This process allows runZero to quickly scan larger spaces by identifying the subnets that are in use, before starting full probes. All subnets that are identified as having active hosts are then fully scanned – unless you enable host pings.

There are two tweakable parameters for subnet sampling. The sample rate determines what percentage of addresses in each subnet are prescanned to determine if the subnet should be scanned. The subnet size determines how many IP addresses are in each subnet. By default, the subnet size is 256 addresses, corresponding to a /24 subnet, and 3% of the addresses in each subnet are prescanned.

Host ping

After you have some insights on the subnets that are in use, you may want to limit the full scan to only addresses that respond to the most common ping methods, such as ICMP and some TCP and UDP ports. If you choose the “Limit scans to pingable hosts” advanced scan option, only hosts that respond to a ping request will be fully scanned.

The runZero Explorer uses multiple protocols for ping scans:

  • Conventional ICMP ping, performed by sending an ICMP echo request and looking for an ICMP echo reply.
  • TCP ping, performed by sending a TCP SYN packet to a series of common ports and seeing whether the host responds with RST or TCP SYN/ACK.
  • UDP ping, performed by sending a packet to port 65535 and checking for an ICMP response of port unreachable.

The set of ports used for TCP and UDP ping can be adjusted in the LAYER2 section of the Probes and SNMP tab when setting up a scan task.

Note that it is relatively common for enterprise firewalls to be set up to block ping, or for hosts to be set up not to respond to ping requests. Limiting scans to pingable hosts can therefore result in assets being missed entirely, even if their IP addresses are probed. If your goal is to speed up scan times, subnet sampling is usually the better option.

It’s possible to use both subnet sampling and limiting scans to pingable hosts at the same time, but this is not recommended except as a last resort for reducing scan times.

Updated